From 7af34db0446f1c5eb7122578d3caae9a17b59227 Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Fri, 16 Jan 2026 17:25:30 +0700 Subject: [PATCH 1/2] Add restrictive security context to registry pod and init containers Fixes #7039 Signed-off-by: Tiger Kaovilai
---
 .../operator/registry/fbcindex/fbc_registry_pod.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go b/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go
index 4abc2f238af..eb15579eea9 100644
--- a/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go
+++ b/internal/olm/operator/registry/fbcindex/fbc_registry_pod.go
@@ -148,8 +148,7 @@ func (f *FBCRegistryPod) Create(ctx context.Context, cfg *operator.Configuration
 },
 }
- // Update the Registry Pod container security context to be restrictive
- f.pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+ restrictedSecurityContext := &corev1.SecurityContext{
 Privileged: pointer.To(false),
 ReadOnlyRootFilesystem: pointer.To(false),
 AllowPrivilegeEscalation: pointer.To(false),
@@ -157,6 +156,14 @@ func (f *FBCRegistryPod) Create(ctx context.Context, cfg *operator.Configuration
 Drop: []corev1.Capability{"ALL"},
 },
 }
+
+ // Update the Registry Pod container security context to be restrictive
+ f.pod.Spec.Containers[0].SecurityContext = restrictedSecurityContext
+
+ // Update all init containers with the same restrictive security context
+ for i := range f.pod.Spec.InitContainers {
+ f.pod.Spec.InitContainers[i].SecurityContext = restrictedSecurityContext
+ }
 }
 if f.ImagePullPolicy == "" {
From e9a876b4c51480107371d992a624913cba2b3b12 Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Fri, 16 Jan 2026 17:29:08 +0700 Subject: [PATCH 2/2] Add changelog fragment for init container security context fix Co-Authored-By: Claude Opus 4.5 
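Review bot: The loop in the second hunk (`for i := range f.pod.Spec.InitContainers`) stores the same `*corev1.SecurityContext` pointer in every init container and in `Containers[0]`, so any later per-container adjustment, or a test that mutates one container's context, silently changes all of them. Since `corev1.SecurityContext` has a generated `DeepCopy`, give each container its own copy: `f.pod.Spec.InitContainers[i].SecurityContext = restrictedSecurityContext.DeepCopy()`, and likewise for `Containers[0]`. A short comment on the declaration in the first hunk would also help, since the block is labelled restrictive yet leaves `ReadOnlyRootFilesystem` at `false` and now applies that choice to init containers too; e.g. `// ReadOnlyRootFilesystem stays false: the registry needs a writable root — TODO confirm for init containers`. The enclosing `Create` method, and what looks like a surrounding conditional, begin before the first hunk and end after the second.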
Signed-off-by: Tiger Kaovilai
---
 .../fix-fbc-init-container-security-context.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 changelog/fragments/fix-fbc-init-container-security-context.yaml
diff --git a/changelog/fragments/fix-fbc-init-container-security-context.yaml b/changelog/fragments/fix-fbc-init-container-security-context.yaml
new file mode 100644
index 00000000000..97383fe55a8
--- /dev/null
+++ b/changelog/fragments/fix-fbc-init-container-security-context.yaml
@@ -0,0 +1,10 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+ - description: >
+ Fixed `operator-sdk run bundle` with `--security-context-config=restricted` to apply
+ the restricted security context to init containers (`registry-grpc-init`), not just
+ the main container. This resolves PodSecurity violations on clusters with
+ `restricted` policy enforcement.
+ kind: bugfix
+ breaking: false